crypto/cipher: BlockMode and HSMs #26787
I am a maintainer of a Go package which provides access to keys held in PKCS#11 HSMs to Go programs, using (as far as possible) native Go crypto APIs.
For asymmetric keys, this was a pleasant experience. It was straightforward to expose ECDSA keys via crypto.Signer. The interface was obviously designed with HSMs in mind (and we appreciate the thought l-)
Currently I am adding support for symmetric keys. This can be made to work but certain operations are very slow, due to a mismatch between the PKCS#11 API and the Go crypto/cipher APIs.
Specifically, to efficiently perform 'bulk' crypto operations, the PKCS#11 API requires a sequence of three calls:
Even if the mode in question does not produce any ciphertext in the call to
It is possible, of course, for a
My questions/requests in this issue are:
See ThalesIgnite/crypto11#6 for additional information, although I believe I've captured everything relevant above.
What version of Go are you using (